Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[UNIX] IMAP Storage Buffer Overflows in Asterisk's Voicemail

from [SecuriTeam] Network Security [Permanent Link]
Subject: [UNIX] IMAP Storage Buffer Overflows in Asterisk's Voicemail
Date: 11 Oct 2007 14:42:36 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  IMAP Storage Buffer Overflows in Asterisk's Voicemail
------------------------------------------------------------------------


SUMMARY

The function "sprintf" was used heavily throughout the Asterisk 
IMAP-specific voicemail code. After auditing the code, two vulnerabilities 
were discovered, both buffer overflows.

DETAILS

Vulnerable Systems:
 * Asterisk Open Source version 1.4.12 and prior

Immune Systems:
 * Asterisk Open Source version 1.4.13

The following buffer overflow required write access to Asterisk's 
configuration files in order to be exploited.

1) If a combination of the astspooldir (set in asterisk.conf), the 
voicemail context, and voicemail mailbox, were very long, then there was a 
buffer overflow when playing a message or forwarding a message (in the 
case of forwarding, the context and mailbox in question are the context 
and mailbox that the message was being forwarded to).

The following buffer overflow could be exploited remotely.

2) If any one of, or any combination of the Content-type or 
Content-description headers for an e-mail that Asterisk recognized as a 
voicemail message contained more than a 1024 characters, then a buffer 
would overflow while listening to a voicemail message via a telephone. It 
is important to note that this did NOT affect users who get their 
voicemail via an e-mail client.

Resolution:
"sprintf" calls have been changed to "snprintf" wherever space was not 
specifically allocated to the buffer prior to the sprintf call. This 
includes places which are not currently prone to buffer overflows.


ADDITIONAL INFORMATION

The information has been provided by  <mailto:asteriskteam@digium.com> The 
Asterisk Development Team.
The original article can be found at:  
<http://downloads.digium.com/pub/security/AST-2007-022.html> 
http://downloads.digium.com/pub/security/AST-2007-022.html



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [UNIX] IMAP Storage Buffer Overflows in Asterisk's Voicemail, SecuriTeam <=
Previous by Date:  [NT] Microsoft Windows DCERPC Authentication Denial of Service Vulnerability, SecuriTeam
Next by Date:  [NT] Firebird process_packet() Remote Stack Overflow Vulnerability, SecuriTeam
Previous by Thread:  [NT] Microsoft Windows DCERPC Authentication Denial of Service Vulnerability, SecuriTeam
Next by Thread:  [NT] Firebird process_packet() Remote Stack Overflow Vulnerability, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]